Access data for 70% of top US and EU websites is being sold on dark web

Top companies across the US and Europe have poor cybersecurity measures that allow hackers to gain access to their systems, according to a High-Tech Bridge report.


The most profitable companies in the US and European Union (EU) are failing on many cybersecurity measures, putting employees and clients at risk, according to a Wednesday report from High-Tech Bridge.

The report examined the 1,000 largest global companies per the Financial Times (FT)—the FT US 500 and the FT Europe 500—and performed a large-scale discovery and non-intrusive assessment of their external web and mobile applications, SSL certificates, web software, and unprotected cloud storage.

Some 62% of US companies and 78% of EU companies had access to at least one website being sold on the dark web, the report found. The offerings ranged from lists of remote S/FTP access credentials, to compilations of RCE and SQL injection vulnerabilities, to login and password pairs sold alongside dumps from many other compromised websites.

Shadow, legacy, and abandoned IT remains a crucial issue for major enterprises, the report found: About 80% of the discovered applications in these organizations were unknown to cybersecurity teams.

The 500 US companies had a total of 293,512 external systems that were accessible from the internet—42,549 of which had a live web application, according to the report. This means each US company has an average of 85 applications that can be easily discovered externally and are not protected by two-factor authentication or other security controls.

Nearly half of US companies (45%) have invalid SSL certificates because the certificate was issued by an untrusted Certification Authority (CA), had expired, or was issued for a different domain name, the report found.
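Those three failure classes are exactly what a client-side validator distinguishes. The following Go program is an added example, not code from the report or from High-Tech Bridge: it builds a constructed root CA and four leaf certificates in memory (a healthy control, an expired one, one issued for the wrong name, and a self-signed one) and classifies each independently. The CA name and the hostnames www.example.com and legacy.example.net are made up for the example; only the Go standard library is used, so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics on error so certificate construction stays readable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// CertFindings maps onto the three causes of invalid certificates named in
// the report: untrusted CA, expiration, and issuance for a different domain.
type CertFindings struct {
	UntrustedCA      bool
	Expired          bool
	HostnameMismatch bool
}

// ClassifyCert reports which conditions hold for leaf when presented for host
// at time now, trusting only the CAs in roots. Each check is made separately:
// x509.Certificate.Verify stops at its first failure, so an expired
// certificate would otherwise hide a broken chain of trust.
func ClassifyCert(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) CertFindings {
	var f CertFindings
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		f.Expired = true
	}
	if err := leaf.VerifyHostname(host); err != nil {
		f.HostnameMismatch = true
	}
	// Chain check alone: evaluate inside the leaf's own validity window and
	// without a DNS name, so only trust in the issuer is being tested.
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: leaf.NotBefore.Add(time.Second)})
	var unknown x509.UnknownAuthorityError
	if errors.As(err, &unknown) {
		f.UntrustedCA = true
	}
	return f
}

// issue signs tmpl with signer; parent == nil produces a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// Scenarios builds a constructed root CA plus four leaf certificates (one
// healthy control and one per failure class) and classifies each of them.
func Scenarios(now time.Time) map[string]CertFindings {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Example Root CA"}, // made-up CA
		NotBefore:             now.Add(-10 * 365 * 24 * time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leaf := func(serial int64, dns string, notBefore, notAfter time.Time) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: dns},
			DNSNames:     []string{dns}, // Go matches SANs only, never CommonName
			NotBefore:    notBefore,
			NotAfter:     notAfter,
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
	}
	const host = "www.example.com" // constructed hostname
	good := issue(leaf(2, host, now.Add(-time.Hour), now.Add(time.Hour)), ca, &leafKey.PublicKey, caKey)
	expired := issue(leaf(3, host, now.Add(-48*time.Hour), now.Add(-24*time.Hour)), ca, &leafKey.PublicKey, caKey)
	wrongHost := issue(leaf(4, "legacy.example.net", now.Add(-time.Hour), now.Add(time.Hour)), ca, &leafKey.PublicKey, caKey)
	selfSigned := issue(leaf(5, host, now.Add(-time.Hour), now.Add(time.Hour)), nil, &leafKey.PublicKey, leafKey)

	return map[string]CertFindings{
		"valid":        ClassifyCert(good, roots, host, now),
		"expired":      ClassifyCert(expired, roots, host, now),
		"wrong-domain": ClassifyCert(wrongHost, roots, host, now),
		"self-signed":  ClassifyCert(selfSigned, roots, host, now),
	}
}

func main() {
	for name, f := range Scenarios(time.Now()) {
		fmt.Printf("%-12s untrusted-ca=%-5t expired=%-5t hostname-mismatch=%t\n",
			name, f.UntrustedCA, f.Expired, f.HostnameMismatch)
	}
}
```

In an inventory sweep over the kind of externally discoverable hosts the report describes, the same `ClassifyCert` can be fed the leaf from a live TLS handshake together with the system root pool (`roots == nil` makes Go use it); keeping the three checks independent matters because a certificate can be expired, self-signed and mis-issued all at once, and a single `Verify` error would report only the first.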

Among discovered web applications, more than 98% of those from US companies had no Web Application Firewall (WAF) filtering enabled, or had it in an overly permissive mode, the report found. Another 27% of US companies had at least one external cloud storage location accessible from the internet without any authentication.

GDPR compliance also remains a problem: 16% of US companies have at least two web applications that accept Personally Identifiable Information (PII) and run a vulnerable version of SSL/TLS, an outdated and vulnerable CMS or other web software, or both, the report found.

"The research has clearly demonstrated that abandoned and unmaintained applications are a plague of today," Ilia Kolochenko, CEO and founder of High-Tech Bridge, said in the report. "Large organizations have so many intertwined websites, web services and mobile apps that they often forget about a considerable part of them. Legacy applications, personnel turnover, lack of resources, outsourcing and offshoring exacerbate the situation. On the other side, cybercriminals are well organized and very proactive. As soon as a new vulnerability is discovered in a popular CMS - they instantly start its exploitation in the wild, leaving cybersecurity teams virtually with no chance."